Field Notice: FN - 72545 - Cisco SD-WAN: DigiCert Controller Certificate Authorization Option No Longer Supported after March 31, 2023 - Configuration Change Recommended

Notice

THIS FIELD NOTICE IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTY OF MERCHANTABILITY. YOUR USE OF THE INFORMATION ON THE FIELD NOTICE OR MATERIALS LINKED FROM THE FIELD NOTICE IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS FIELD NOTICE AT ANY TIME.

Revision History

Revision	Publish Date	Comments
1.0	10-Feb-23	Initial Release

Products Affected

Affected OS Type	Affected Software Product	Affected Release	Affected Release Number	Comments
NON-IOS	SD-WAN Software Update	19.1	19.1.0, 19.1.0a
NON-IOS	SD-WAN Software Update	19.2	19.2.1, 19.2.2, 19.2.3, 19.2.4, 19.2.31, 19.2.32
NON-IOS	SD-WAN Software Update	19.3	19.3.0
NON-IOS	SD-WAN Software Update	20.1	20.1.1, 20.1.1.1, 20.1.2, 20.1.3, 20.1.12
NON-IOS	SD-WAN Software Update	20.3	20.3.1, 20.3.2, 20.3.2.1, 20.3.3, 20.3.3.1, 20.3.4, 20.3.4.1, 20.3.4.2, 20.3.5, 20.3.6
NON-IOS	SD-WAN Software Update	20.4	20.4.1, 20.4.1.1, 20.4.1.2, 20.4.2, 20.4.2.1, 20.4.2.2
NON-IOS	SD-WAN Software Update	20.5	20.5.1, 20.5.1.1, 20.5.1.2
NON-IOS	SD-WAN Software Update	20.6	20.6.1, 20.6.1.1, 20.6.2, 20.6.2.1, 20.6.2.2, 20.6.3, 20.6.3.1, 20.6.4
NON-IOS	SD-WAN Software Update	20.7	20.7.1, 20.7.1.1, 20.7.2
NON-IOS	SD-WAN Software Update	20.8	20.8.1
NON-IOS	SD-WAN Software Update	20.9	20.9.1, 20.9.1.1, 20.9.2, 20.9.2.1
NON-IOS	SD-WAN Software Update	20.10	20.10.1

Defect Information

Defect ID	Headline
CSCwd62789	Digicert/Symantec Certification will be removed from 20.11

Problem Description

Beginning March 31, 2023, Cisco will no longer sponsor DigiCert (formerly Symantec) controller X.509 certificates for Cisco SD-WAN. After that date, Cisco will not approve DigiCert certificates to be signed and released. This includes certificate signing requests (CSRs) sent to DigiCert from vManage or manually submitted on the DigiCert portal. Existing Cisco SD-WAN DigiCert controller certificates will continue to be valid until those certificates expire. However, once those controller certificates expire, they cannot be renewed with new DigiCert certificates. Without valid certificates installed on the controllers, all Cisco SD-WAN control connections will fail.

Background

Cisco SD-WAN provides multiple options to source and maintain the X.509 certificates used to authorize controller connections. One of those options relies on a Cisco sponsored DigiCert (formerly Symantec) certificate authority (CA) to sign and issue controller certificates. This option is available via the DigiCert Controller Certificate Authorization feature in vManage. After careful planning, we have determined the DigiCert Controller Certificate Authorization feature no longer aligns with our strategic direction for Cisco SD-WAN. We announced End of Support for this feature, effective March 31, 2023. Beginning March 31, 2023, we will no longer approve DigiCert CSRs to be signed and released.

End of Support for the DigiCert Controller Certificate Authorization feature is not caused by a specific software defect or change in the DigiCert CA. Nonetheless, if you currently use this feature, you will need to take action to migrate to a different controller certificate method before your current certificates expire. Follow the instructions in the Workaround/Solution section in order to avoid service disruption.

Problem Symptom

After March 31, 2023, if you open a Cisco Technical Assistance Center (TAC) case to have a DigiCert CSR approved, you will be advised that your request cannot be processed.

Workaround/Solution

If your Cisco SD-WAN controllers are currently configured for DigiCert controller certificate authorization, you must switch to one of the other supported certificate methods. There are two options available.

Option 1. Migrate to Cisco Public Key Infrastructure (Preferred Approach)

The Cisco Public Key Infrastructure (PKI) option is available with SD-WAN Controller software version 19.2.3 and later. This option offers several advantages, which include:

• Cisco PKI provides certificate management and can be used as a CA to sign Cisco SD-WAN controller certificates at no additional charge.
• Cisco PKI CSRs are automatically approved and released. No manual intervention is required via a Cisco TAC case to get a CSR signed and approved.
  Note: You still need to trigger the certificate renewal via the "Generate CSR" option in vManage.

Consult the DigiCert Certificate to Cisco PKI Certificate Migration Guide for details on how to implement this option.

Option 2. Configure Cisco SD-WAN for Enterprise Certificates

If you prefer not to migrate to Cisco PKI or cannot meet the minimum software requirements, you can configure vManage to use Enterprise Certificates for controller certificate authorization. The Enterprise Certificates option provides the flexibility to source certificates directly from any commercial PKI provider such as DigiCert or from a private CA within your own organization. With Enterprise Certificates, you must purchase the controller certificates directly from a commercial PKI vendor (or internal private CA) and manually install them in Cisco SD-WAN.

Consult the "Enterprise Root Certificate Authority (CA)" chapter of the Cisco SD-WAN Controller Certificates and Authorized Serial Number File Prescriptive Deployment Guide for Enterprise Certificates configuration and operation instructions.

For More Information

If you require further assistance, or if you have any further questions regarding this field notice, please contact the Cisco Systems Technical Assistance Center (TAC) by one of the following methods:

• Open a service request on Cisco.com
• By email or telephone

Receive Email Notification For New Field Notices

My Notifications—Set up a profile to receive email updates about reliability, safety, network security, and end-of-sale issues for the Cisco products you specify.